ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

android-agent

v1.1.1

Control a real Android phone via USB or network using GPT-4o vision to run tasks like opening apps, typing, tapping, and automation scripts.

4· 909·1 current·1 all-time
byHarshil Mathur@harshilmathur
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose—remote control of an Android phone via ADB and GPT-4o vision—aligns with the included scripts and Python code which use ADB and DroidRun. However the registry metadata at the top of the package claimed no required binaries or env vars, whereas skill.json and SKILL.md do declare requirements (adb, python3, OPENAI_API_KEY, droidrun). This metadata mismatch is an incoherence the user should be aware of.
!
Instruction Scope
The SKILL.md and run-task.py capture device screenshots and call DroidRun/OpenAI (OPENAI_API_KEY required). That means screen contents (potentially sensitive banking, messages, 2FA codes, etc.) will be processed by the external LLM provider through the droidrun library. The instructions also ask the user to install a Portal APK that requires Accessibility permissions on the phone—a high-privilege action that allows broad UI access. These behaviors are consistent with the skill's purpose but are high-impact and can expose sensitive data; the SKILL.md does not provide explicit warnings about sensitive data exfiltration or guidance on limiting what is shown to the model.
Install Mechanism
No platform install spec is embedded, but the SKILL.md and requirements.txt instruct pip install -r requirements.txt which will fetch droidrun and openai from PyPI (moderate risk). The Portal APK is recommended to be downloaded from GitHub releases (expected). No arbitrary personal server downloads are present. The mismatch between the top-level 'no required binaries' and skill.json's requirements is an installation-coherence issue to resolve.
Credentials
The only required credential is OPENAI_API_KEY (consistent with model use). Optional env vars ANDROID_PIN and ANDROID_SERIAL are reasonable for automation, but recommending storing a phone PIN in an environment variable is sensitive and risky. There are no unrelated credentials requested. The package metadata mismatch (missing declared bins/env at top) is a minor proportionality inconsistency.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent config. It runs as an instruction-driven tool. However, installing the DroidRun Portal on the phone requires granting Accessibility Service permissions, which persist on-device and grant broad interaction/reading capabilities—this is expected for the tool but is a significant device-side privilege and should be treated as such.
What to consider before installing
This skill appears to do what it says (control a phone via ADB and use an LLM), but take these precautions before installing: - Verify the source: the package lists a homepage/source but your top-line metadata said 'unknown' — confirm you trust the author/repository (check the GitHub repo and recent releases). - Expect sensitive data to flow to the LLM: screenshots and UI state are processed by DroidRun/OpenAI. Do not use this on a phone with banking apps, personal messages, or active 2FA tokens unless you accept that risk. - Accessibility permission is powerful: installing the Portal APK and granting Accessibility access gives the app broad ability to read and interact with other apps—uninstall or revoke permissions when not in use. - Avoid storing PINs in env vars on long-lived machines. If you must automate unlocks, prefer manual unlock or ephemeral/throwaway PIN use; treat ANDROID_PIN as highly sensitive. - Run the skill on an isolated/trusted gateway machine (e.g., dedicated Raspberry Pi) rather than your primary workstation to limit blast radius. - Inspect the included code (run-task.py and droidrun usage) yourself: confirm no hidden network endpoints or unexpected telemetry. Consider running pip installations in a virtualenv and review the droidrun dependency. - Use a scoped or ephemeral OPENAI_API_KEY if possible and monitor usage; revoke the key after testing. - Resolve manifest inconsistencies: confirm required binaries (adb, python3) and env vars before running; the discrepancy in declared requirements is a red flag for sloppy packaging. If you understand and accept these risks (and verify the origin), the functionality is coherent with its goal; otherwise treat this skill as risky and avoid giving it access to sensitive devices or credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk979apyf1rxwg12d229smspzyx819sgw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments